Abstract. Extending the classical Legendre's result, we describe all solutions of the inequality $|\alpha - a/b| < c/b^2$ in terms of convergents of the continued fraction expansion of $\alpha$. Namely, we show that $a/b = (rp_{m+1} \pm sp_m)/(rq_{m+1} \pm sq_m)$ for some nonnegative integers $m, r, s$ such that $rs < 2c$. As an application of this result, we describe a modification of the Verheul and van Tilborg variant of Wiener's attack on the RSA cryptosystem with small secret exponent.



1. Introduction 

The most popular public key cryptosystem in use today is RSA. Its security is based on the difficulty of finding the prime factors of large integers.

The modulus $n$ of an RSA cryptosystem is the product of two large primes $p$ and $q$. The public exponent $e$ and the secret exponent $d$ are related by $ed \equiv 1 \pmod{\varphi(n)}$, where $\varphi(n) = (p-1)(q-1) = n - p - q + 1$. In a typical RSA cryptosystem $p$ and $q$ have approximately the same number of bits, and $e < n$. The encryption and decryption algorithms are given by $C = M^e \bmod n$, $M = C^d \bmod n$.

To speed up RSA encryption or decryption one may try to use a small public or secret exponent. The choice of a small $e$ or $d$ is especially interesting when there is a large difference in computing power between two communicating devices, e.g. in communication between a smart card and a larger computer. In this situation, it would be desirable for the smart card to have a small secret exponent, and for the larger computer to have a small public exponent, in order to reduce the processing required in the smart card.

However, in 1990 Wiener described an attack on a typical RSA with small secret exponent. He showed that if $d < n^{1/4}$, then $d$ is the denominator of some convergent of the continued fraction expansion of $e/n$, and therefore $d$ can be computed efficiently from the public key $(n, e)$. His result is based on the classical Legendre's theorem on Diophantine approximations of the form $|\alpha - a/b| < 1/(2b^2)$. Pinch extended the attack to some other cryptosystems. In 1997, Verheul and van Tilborg proposed an extension of Wiener's attack that allows the RSA cryptosystem to be broken by an exhaustive search when $d$ is a few bits longer than $n^{1/4}$.

In this paper, we will generalize Legendre's result to Diophantine approximations of the form $|\alpha - a/b| < c/b^2$. We will show that this result leads to a more efficient variant of the above mentioned attacks.

Our attack on RSA will closely follow Wiener's ideas, but let us very briefly mention some other attacks on RSA with small exponent $d$. In 1999, Boneh and Durfee proposed an attack on RSA with small secret exponent which is based on Coppersmith's lattice-based technique for finding small roots of bivariate modular polynomial equations. The attack works if $d < n^{0.292}$. A similar attack was proposed by Blömer and May if $d < n^{0.290}$. Recently, it was noted by Hinek, Low and Teske that these theoretical bounds on $d$ are not correct (some quantity which appears in the analysis is not negligible). Also, it should be noted that Coppersmith's theorem is for the univariate case; in the bivariate case it is only a heuristic result for now. On the other hand, it seems that these attacks work well in practice.

2. Wiener's attack on RSA 

In 1990, Wiener described a polynomial time algorithm for breaking a typical (i.e. $p$ and $q$ are of the same size and $e < n$) RSA cryptosystem if the secret exponent $d$ has at most one-quarter as many bits as the modulus $n$. Wiener's attack is usually described in the following form:

If $p < q < 2p$, $e < n$ and $d < \frac{1}{3}\sqrt[4]{n}$, then $d$ is the denominator of a convergent of the continued fraction expansion of $\frac{e}{n}$.

The starting point is the basic relation between exponents
$$ed \equiv 1 \pmod{\varphi(n)}.$$
This means that there is an integer $k$ such that $ed - k\varphi(n) = 1$. Now, $\varphi(n) \approx n$ implies $\frac{k}{d} \approx \frac{e}{n}$. More precisely, we have $n - 3\sqrt{n} < \varphi(n) < n$ and
$$\left|\frac{k}{d} - \frac{e}{n}\right| < \frac{3k}{d\sqrt{n}} < \frac{1}{2d^2}.$$
Hence, by Legendre's theorem, $\frac{k}{d}$ is a convergent of the continued fraction expansion of $\frac{e}{n}$.

If $[a_0; a_1, a_2, \ldots]$ is the continued fraction expansion of a real number $\alpha$, then the convergents $\frac{p_i}{q_i}$ satisfy $p_0 = a_0$, $q_0 = 1$, $p_1 = a_0a_1 + 1$, $q_1 = a_1$,
$$p_i = a_ip_{i-1} + p_{i-2}, \qquad q_i = a_iq_{i-1} + q_{i-2}.$$
Therefore, the denominators grow exponentially. This means that the total number of convergents of $\frac{e}{n}$ is of order $O(\log n)$. If a convergent can be tested in polynomial time, this will give us a polynomial algorithm to determine $d$.
Wiener proposed the following method for testing convergents. Let $\frac{a}{b}$ be a convergent of $\frac{e}{n}$. If it is the correct guess for $\frac{k}{d}$, then $\varphi(n)$ can be computed from $\varphi(n) = (p-1)(q-1) = (be - 1)/a$. Now we can compute $\frac{p+q}{2}$ from the identity
$$\frac{pq - (p-1)(q-1) + 1}{2} = \frac{p+q}{2},$$
and $\frac{q-p}{2}$ from the identity $\left(\frac{p+q}{2}\right)^2 - pq = \left(\frac{q-p}{2}\right)^2$. If the numbers $\frac{p+q}{2}$ and $\frac{q-p}{2}$ obtained by these identities are positive integers, then the convergent $\frac{a}{b}$ is the correct guess for $\frac{k}{d}$. We can also easily recover $p$ and $q$ from $\frac{p+q}{2}$ and $\frac{q-p}{2}$.

Another possibility for detecting the correct convergent is to test which one gives a $d$ which satisfies $(M^e)^d \equiv M \pmod n$ for some random value of $M$.

Example 1. Let $n = 7978886869909$, $e = 3594320245477$, and assume that $d < 561$. The continued fraction expansion of $\frac{e}{n}$ is
$$[0; 2, 4, 1, 1, 4, 1, 2, 31, 21, 1, 3, 1, 16, 3, 1, 114, 10, 1, 4, 5, 1, 2],$$
and the convergents are
$$\frac{0}{1},\ \frac{1}{2},\ \frac{4}{9},\ \frac{5}{11},\ \frac{9}{20},\ \frac{41}{91},\ \frac{50}{111},\ \frac{141}{313},\ \frac{4421}{9814},\ \ldots$$
Applying the test $(2^e)^d \equiv 2 \pmod n$, we obtain $d = 313$. Of course, the same result can be obtained with the original Wiener's test. For $\frac{k}{d} = \frac{141}{313}$ we find $\frac{p+q}{2} = 2878805$, $\frac{q-p}{2} = 555546$, and this yields the factorization $n = 2323259 \cdot 3434351$.



We have seen in the previous example that the correct convergent was the last convergent with denominator less than $\frac{1}{3}\sqrt[4]{n}$. This suggests that perhaps it is not necessary to test all convergents. We will justify this assertion.

To do that, we need a more precise estimate of $\left|\frac{k}{d} - \frac{e}{n}\right|$, which corresponds to a better approximation of $\varphi(n)$. Assume that $p < q < 2p$. Then $\left(\frac{p+q}{2}\right)^2 = n + \left(\frac{q-p}{2}\right)^2$, and thus $2\sqrt{n} < p + q < \frac{3}{\sqrt{2}}\sqrt{n} < 2.1214\sqrt{n}$. This implies
$$\frac{k}{d} - \frac{e}{n} = \frac{k(p+q) - k - 1}{dn} > \frac{2k(\sqrt{n} - 1)}{dn}.$$
Since $k > \frac{ed - 1}{n - 2\sqrt{n} + 1}$, we obtain
$$(1)\qquad \frac{k}{d} - \frac{e}{n} > \frac{2e}{n\sqrt{n}}.$$
In the opposite direction we have
$$\frac{k}{d} - \frac{e}{n} < \frac{2.1214k}{d\sqrt{n}}.$$
We may assume that $n > 10^{?}$ (the exponent is illegible in the source). Then $\frac{k}{d} < 1.00023\frac{e}{n}$, and finally
$$(2)\qquad \frac{k}{d} - \frac{e}{n} < \frac{2.122e}{n\sqrt{n}}.$$
Similarly we find that
$$\frac{k}{d} - \frac{e}{n} < \frac{3.183e}{n\sqrt{n}}$$
if $p < q < 8p$.

In the rest of the paper we will work under the assumption that $p < q < 2p$, but the arguments can be easily modified to the case $p < q < 8p$.

From (1) and (2) we may conclude that $\frac{k}{d}$ is the unique (odd) convergent satisfying
$$\frac{2e}{n\sqrt{n}} < \frac{k}{d} - \frac{e}{n} < \frac{2.122e}{n\sqrt{n}}.$$
Indeed, this follows from the fact that if $p_m/q_m$ and $p_{m+2}/q_{m+2}$ are two successive (odd) convergents of a real number $\alpha$, then $p_{m+2}/q_{m+2}$ is at least twice as good an approximation of $\alpha$ as $p_m/q_m$, which is a direct consequence of the following well-known property of convergents:
$$(3)\qquad \frac{1}{q_m(q_{m+1} + q_m)} < \left|\alpha - \frac{p_m}{q_m}\right| < \frac{1}{q_mq_{m+1}}.$$

Furthermore, if $\frac{k}{d} = \frac{p_m}{q_m}$, then
$$\frac{n\sqrt{n}}{4.244e} < q_mq_{m+1} < \frac{n\sqrt{n}}{2e},$$
and $m$ is the unique odd positive integer satisfying this inequality. These observations lead to an efficient algorithm for finding the correct convergent in Wiener's attack. Namely, $\frac{k}{d} = \frac{p_m}{q_m}$, where $m$ is the smallest odd positive integer such that $q_mq_{m+1} > \frac{n\sqrt{n}}{4.244e}$.



As suggested in the original Wiener's paper, the attack can be slightly improved by using a better approximation to $\frac{k}{d}$, e.g. $\frac{e}{f}$, where $f = n - \lfloor 2\sqrt{n}\rfloor + 1$. This can be combined with known extensions of Legendre's theorem. Namely, there is an old result of Fatou which says that if $\left|\alpha - \frac{a}{b}\right| < \frac{1}{b^2}$, then $\frac{a}{b} = \frac{p_m}{q_m}$ or $\frac{p_{m+1} \pm p_m}{q_{m+1} \pm q_m}$. In 1981, Worley proved that $\left|\alpha - \frac{a}{b}\right| < \frac{2}{b^2}$ implies
$$\frac{a}{b} = \frac{p_m}{q_m},\ \frac{p_{m+1} \pm p_m}{q_{m+1} \pm q_m},\ \frac{2p_{m+1} \pm p_m}{2q_{m+1} \pm q_m},\ \frac{3p_{m+1} + p_m}{3q_{m+1} + q_m},\ \frac{p_{m+1} \pm 2p_m}{q_{m+1} \pm 2q_m},\ \frac{p_{m+1} - 3p_m}{q_{m+1} - 3q_m}.$$
We have
$$0 < \frac{k}{d} - \frac{e}{f} < \frac{0.1221}{\sqrt{n}}.$$
If $d < 4.04\sqrt[4]{n}$, then $\frac{k}{d} - \frac{e}{f} < \frac{2}{d^2}$ and $d$ can be found in polynomial time (which extends Wiener's attack by the factor 12).
More general extensions of Wiener's attack will be considered in the next sections.

3. Verheul and van Tilborg variant of Wiener's attack

In 1997, Verheul and van Tilborg proposed the following extension of Wiener's attack.

Let $m$ be the largest (odd) integer satisfying $\frac{p_m}{q_m} - \frac{e}{n} > \frac{2.122e}{n\sqrt{n}}$. Search for $\frac{k}{d}$ among fractions of the form $\frac{rp_{m+1} + sp_m}{rq_{m+1} + sq_m}$, i.e. consider the system
$$rp_{m+1} + sp_m = k,\qquad rq_{m+1} + sq_m = d.$$
The determinant of the system satisfies $|p_{m+1}q_m - q_{m+1}p_m| = 1$, and therefore the system has (positive) integer solutions:
$$r = dp_m - kq_m,\qquad s = kq_{m+1} - dp_{m+1}.$$
If $r$ and $s$ are small, then they can be found by an exhaustive search.

Let us estimate the number of steps in this exhaustive search, i.e. let us find upper bounds for $r$ and $s$. Let $d = D\sqrt[4]{n}$.

From (1) it follows $r = dq_m\left(\frac{p_m}{q_m} - \frac{k}{d}\right) < \frac{d}{q_{m+1}}$. The estimate for $s$ depends on the sign of the number $\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} - \frac{2.122e}{n\sqrt{n}}$. (We may expect that this number will be positive in 50% of the cases.) Assume that $\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} > \frac{2.122e}{n\sqrt{n}}$. Then
$$s = dq_{m+1}\left(\frac{k}{d} - \frac{p_{m+1}}{q_{m+1}}\right) < 2dq_{m+1}\left(\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}}\right) < \frac{2d}{q_{m+2}}.$$
Since
$$\frac{1}{q_{m+2}^2(a_{m+3} + 2)} < \frac{p_{m+2}}{q_{m+2}} - \frac{e}{n} < \frac{2.122e}{n\sqrt{n}} < \frac{2.122}{\sqrt{n}},$$
we have
$$q_{m+2} > \frac{\sqrt[4]{n}}{\sqrt{2.122(a_{m+3} + 2)}}.$$
Also, $q_{m+1} > \frac{q_{m+2}}{a_{m+2} + 1}$. Putting all these estimates together we obtain
$$r < \sqrt{2.122(a_{m+3} + 2)}\,(a_{m+2} + 1)D,\qquad s < \sqrt{2.122(a_{m+3} + 2)}\,D.$$
Hence, in this case the number of steps is bounded by $2.122(a_{m+3} + 2)(a_{m+2} + 1)D^2$.
Assume now that $\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} < \frac{2.122e}{n\sqrt{n}}$. Then
$$s = dq_{m+1}\left(\frac{k}{d} - \frac{p_{m+1}}{q_{m+1}}\right) < dq_{m+1}\left(\frac{p_m}{q_m} - \frac{p_{m+1}}{q_{m+1}}\right) = \frac{d}{q_m}.$$
We also need an estimate for $q_{m+1}$ which is analogous to the estimate for $q_{m+2}$ in the previous case. Since in this case $\frac{p_{m+1}}{q_{m+1}}$ is already close enough to $\frac{e}{n}$, we have the estimate
$$\frac{1}{q_{m+1}^2(a_{m+2} + 2)} < \frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} < \frac{2.122e}{n\sqrt{n}} < \frac{2.122}{\sqrt{n}}.$$
This implies
$$q_{m+1} > \frac{\sqrt[4]{n}}{\sqrt{2.122(a_{m+2} + 2)}},\qquad r < \frac{d}{q_{m+1}} < \sqrt{2.122(a_{m+2} + 2)}\,D,$$
$$s < \sqrt{2.122(a_{m+2} + 2)}\,(a_{m+1} + 1)D,$$
and in this case the number of steps is bounded by $2.122(a_{m+2} + 2)(a_{m+1} + 1)D^2$.

In their paper, the authors propose that with reasonable probability (20%) the number of steps can be bounded by $256D^2$. It is indeed true if we have in mind that the partial quotients $a_i$ are usually very small. In [10, p. 352] the distribution of the partial quotients of a random real number $\alpha$ is given. Approximately, $a_i$ will be 1 with probability 41.5%, $a_i = 2$ with probability 17.0%, $a_i = 3$ with probability 9.3%, $a_i = 4$ with probability 5.9%, etc. Our analysis shows that the success of the Verheul and van Tilborg attack (when $D$ is of reasonable size) depends heavily on the size of the corresponding partial quotients $a_{m+1}$, $a_{m+2}$ and $a_{m+3}$. And although they are usually small, we cannot exclude the possibility that at least one of them is large (see Examples 2 and 3). Namely, the probability that $a_i \ge x$ is equal to $\log_2\left(1 + \frac{1}{x}\right)$, and this is a slowly decreasing function.

In Section 5 we will propose a method to overcome this problem and remove the dependence on partial quotients. A general result on Diophantine approximation from the next section will allow us to obtain more precise information on $r$ and $s$, which will reduce the number of steps in the search.

4. Extension of Legendre's theorem 

Theorem 1. Let $\alpha$ be an irrational number and let $a, b$ be coprime nonzero integers satisfying the inequality
$$(4)\qquad \left|\alpha - \frac{a}{b}\right| < \frac{c}{b^2},$$
where $c$ is a positive real number. Then $(a, b) = (rp_{m+1} \pm sp_m,\ rq_{m+1} \pm sq_m)$, for some nonnegative integers $m$, $r$ and $s$ such that $rs < 2c$.

Proof. Assume that $\alpha < \frac{a}{b}$; the other case is completely analogous. Let $m$ be the largest odd integer satisfying
$$\alpha < \frac{a}{b} < \frac{p_m}{q_m}.$$
If $\frac{a}{b} > \frac{p_1}{q_1}$, we will take $m = -1$, following the convention that $p_{-1} = 1$, $q_{-1} = 0$. Let us define the numbers $r$ and $s$ by:
$$a = rp_{m+1} + sp_m,\qquad b = rq_{m+1} + sq_m.$$
Since $|p_{m+1}q_m - p_mq_{m+1}| = 1$, we conclude that $r$ and $s$ are integers, and since $\frac{p_{m+1}}{q_{m+1}} < \frac{a}{b} < \frac{p_m}{q_m}$, we have that $r > 0$ and $s > 0$.
From the maximality of $m$, we have that
$$\left|\frac{p_{m+2}}{q_{m+2}} - \frac{a}{b}\right| < \left|\alpha - \frac{a}{b}\right| < \frac{c}{b^2}.$$
But
$$\frac{a}{b} - \frac{p_{m+2}}{q_{m+2}} = \frac{(a_{m+2}q_{m+1} + q_m)(rp_{m+1} + sp_m) - (a_{m+2}p_{m+1} + p_m)(rq_{m+1} + sq_m)}{bq_{m+2}} = \frac{sa_{m+2} - r}{bq_{m+2}}.$$

Therefore, we obtain
$$b(sa_{m+2} - r) < cq_{m+2} = \frac{c}{s}\big((sa_{m+2} - r)q_{m+1} + b\big),$$
which implies
$$(sa_{m+2} - r)\Big(b - \frac{c}{s}q_{m+1}\Big) < \frac{c}{s}b.$$
Furthermore, we have
$$\frac{b}{q_{m+1}} = r + \frac{sq_m}{q_{m+1}} > r,$$
so dividing the previous inequality by $q_{m+1}$ gives
$$r\Big(sa_{m+2} - r - \frac{c}{s}\Big) < \frac{c}{s}(sa_{m+2} - r)$$
(if $sa_{m+2} - r - \frac{c}{s} \le 0$ this holds trivially, the right-hand side being nonnegative). Multiplying by $s$ and simplifying, we obtain the following inequality
$$(5)\qquad r^2 - sra_{m+2} + ca_{m+2} > 0.$$
We will consider (5) as a quadratic inequality in $r$.

Assume for a moment that $s^2a_{m+2} > 4c$. Then $s^2a_{m+2}^2 - 4ca_{m+2} > 0$, and therefore (5) implies
$$r < \frac{1}{2}\Big(sa_{m+2} - \sqrt{s^2a_{m+2}^2 - 4ca_{m+2}}\Big) < \frac{2c}{s}$$
or
$$r > \frac{1}{2}\Big(sa_{m+2} + \sqrt{s^2a_{m+2}^2 - 4ca_{m+2}}\Big) > \frac{1}{s}\big(s^2a_{m+2} - 2c\big).$$
The first possibility gives us the condition $rs < 2c$, as claimed in the theorem. Let us consider the second possibility, i.e.
$$(6)\qquad rs > s^2a_{m+2} - 2c.$$

Let us define $t = sa_{m+2} - r$. Since $\frac{p_{m+2}}{q_{m+2}} < \frac{a}{b}$, we conclude that $t$ is a positive integer. Now we have
$$a = rp_{m+1} + sp_m = (sa_{m+2} - t)p_{m+1} + sp_m = sp_{m+2} - tp_{m+1},$$
$$b = rq_{m+1} + sq_m = (sa_{m+2} - t)q_{m+1} + sq_m = sq_{m+2} - tq_{m+1},$$
and the condition (6) becomes $st < 2c$.
Hence we proved the statement of the theorem under the assumption that $s^2a_{m+2} > 4c$.

Assume now that $s^2a_{m+2} < 4c$. Since $r < sa_{m+2}$, we have two possibilities. If $r \le \frac{1}{2}sa_{m+2}$ then $rs \le \frac{1}{2}s^2a_{m+2} < 2c$, and if $r > \frac{1}{2}sa_{m+2}$ then $t = sa_{m+2} - r < \frac{1}{2}sa_{m+2}$ and $st < \frac{1}{2}s^2a_{m+2} < 2c$. □

Remark 1. It is not clear from the proof whether the above theorem is valid for rationals $\frac{a}{b}$ such that $\frac{a}{b} < \frac{p_0}{q_0} = \lfloor\alpha\rfloor$. But this case corresponds to the minus case with $m = -1$ in the statement of the theorem. Indeed, let $\frac{a}{b} = \lfloor\alpha\rfloor - \frac{s}{b}$. Then $\frac{a}{b} = p_0 - \frac{s}{b} = \frac{bp_0 - s}{b} = \frac{bp_0 - sp_{-1}}{bq_0 - sq_{-1}}$, and $rs = b \cdot s < b \cdot \frac{c}{b} = c$.

Remark 2. The statement of the theorem is valid also for rational numbers $\alpha$. Indeed, if $\alpha \in \mathbb{Q}$, then there exists an integer $j \ge 0$ such that $\alpha = \frac{p_j}{q_j}$. The proof is identical to that in the irrational case, unless $\alpha < \frac{a}{b} < \frac{p_{j-1}}{q_{j-1}}$ (or $\alpha > \frac{a}{b} > \frac{p_{j-1}}{q_{j-1}}$). If we define positive integers $r$ and $s$ by
$$a = rp_j + sp_{j-1},\qquad b = rq_j + sq_{j-1},$$
then the inequalities
$$\left|\frac{a}{b} - \alpha\right| = \frac{s}{bq_j} < \frac{c}{b^2}$$
and $b > rq_j$ imply $rsq_j < sb < cq_j$, and finally $rs < c$.



A similar result to our Theorem 1 was proved, with different methods, by Worley. In [18, Theorem 1], it was shown that there are three types of solutions of the inequality (4). Two types correspond to the $+$ and $-$ signs in $(rp_{m+1} \pm sp_m,\ rq_{m+1} \pm sq_m)$, while Theorem 1 shows that the third type can be omitted.

Theorem 1 extends the results for $c = 1$ and $c = 2$ cited in Section 2. The result for $c = 2$ has already found applications in solving some Diophantine equations. It has been applied to the problem of finding positive integers $a$ and $b$ such that $(a^2 + b^2)/(ab + 1)$ is an integer, and it has been used for solving the family of Thue inequalities
$$|x^4 - 4cx^3y + (6c + 2)x^2y^2 + 4cxy^3 + y^4| \le 6c + 4.$$
We hope that Theorem 1 will also find its application in Diophantine analysis.



5. A variant of Wiener's attack

In this section we propose a new variant of Wiener's attack. It is very similar to the Verheul and van Tilborg attack, but after finding the appropriate starting convergent, instead of a plain exhaustive search, this new variant also uses estimates which follow from Diophantine approximation (Theorem 1).
Let $m$ be the largest (odd) integer such that
$$\frac{p_m}{q_m} - \frac{e}{n} > \frac{2.122e}{n\sqrt{n}}.$$
We have two possibilities depending on whether the inequality $\frac{p_{m+2}}{q_{m+2}} > \frac{k}{d}$ is satisfied or not.

Assume first that $\frac{p_{m+2}}{q_{m+2}} > \frac{k}{d}$. We are searching for $\frac{k}{d}$ among the fractions of the form $\frac{r'p_{m+3} + s'p_{m+2}}{r'q_{m+3} + s'q_{m+2}}$. As in Section 3 we have
$$q_{m+2} > \frac{\sqrt[4]{n}}{\sqrt{2.122(a_{m+3} + 2)}}.$$
Now we have
$$r' = dq_{m+2}\left(\frac{p_{m+2}}{q_{m+2}} - \frac{k}{d}\right) < dq_{m+2}\cdot\frac{0.122e}{n\sqrt{n}} < 0.061\,dq_{m+2}\left(\frac{p_{m+2}}{q_{m+2}} - \frac{e}{n}\right) < \frac{0.061\,d}{q_{m+3}} < \frac{0.061\sqrt{2.122(a_{m+3} + 2)}}{a_{m+3}}\,D$$
and
$$s' = dq_{m+3}\left(\frac{k}{d} - \frac{p_{m+3}}{q_{m+3}}\right) < dq_{m+3}\left(\frac{p_{m+2}}{q_{m+2}} - \frac{p_{m+3}}{q_{m+3}}\right) = \frac{d}{q_{m+2}} < \sqrt{2.122(a_{m+3} + 2)}\,D.$$
Hence, $\frac{k}{d}$ can be recovered in at most $r's' < \frac{0.1295(a_{m+3} + 2)}{a_{m+3}}D^2 < 0.3885D^2$ steps. Here $D = d/\sqrt[4]{n}$ as before.

Assume now that $\frac{p_{m+2}}{q_{m+2}} < \frac{k}{d}$. Then
$$\left|\frac{p_{m+2}}{q_{m+2}} - \frac{k}{d}\right| < \frac{k}{d} - \frac{e}{n} < \frac{2.122e}{n\sqrt{n}} < \frac{2.122}{\sqrt{n}} = \frac{2.122D^2}{d^2}.$$
We are in the conditions of the proof of Theorem 1, and we conclude that
$$\frac{k}{d} = \frac{rp_{m+1} + sp_m}{rq_{m+1} + sq_m} \quad\text{or}\quad \frac{k}{d} = \frac{sp_{m+2} - tp_{m+1}}{sq_{m+2} - tq_{m+1}},$$
where $r$, $s$ and $t$ are positive integers satisfying $rs < 4.244D^2$, $st < 4.244D^2$.

From Dirichlet's formula for the number of divisors we obtain immediately that the number of possible pairs $(r, s)$ and $(s, t)$ is $O(D^2\log D)$. However, $r$ and $s$ (resp. $s$ and $t$) are not arbitrary. They satisfy the inequalities $r < a_{m+2}s$ and $t < a_{m+2}s$, which imply $r < 2.061\sqrt{a_{m+2}}\,D$ and $t < 2.061\sqrt{a_{m+2}}\,D$. In Section 3 we found that $s < s_1$, where $s_1 = \left\lfloor\sqrt{2.122(a_{m+3} + 2)}\,D\right\rfloor$ if $\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} > \frac{2.122e}{n\sqrt{n}}$, and $s_1 = \left\lfloor\sqrt{2.122(a_{m+2} + 2)}\,(a_{m+1} + 1)D\right\rfloor$ if $\frac{e}{n} - \frac{p_{m+1}}{q_{m+1}} < \frac{2.122e}{n\sqrt{n}}$. Let $s_0 = \left\lfloor\frac{2.061D}{\sqrt{a_{m+2}}}\right\rfloor$. We have the following upper bound for the number of possible pairs $(r, s)$:
$$a_{m+2}(1 + 2 + \cdots + s_0) + \frac{4.244D^2}{s_0 + 1} + \frac{4.244D^2}{s_0 + 2} + \cdots + \frac{4.244D^2}{s_1} < \frac{a_{m+2}s_0(s_0 + 1)}{2} + 4.244D^2\left(\log\frac{s_1}{s_0 + 1} + \frac{1}{s_0 + 1}\right)$$
$$< 5.248D^2 + 4.244D^2\log\Big(0.707\max\big(\sqrt{(a_{m+3} + 2)a_{m+2}},\ (a_{m+2} + 1)(a_{m+1} + 1)\big)\Big).$$
We have the same upper bound for the number of possible pairs $(s, t)$.

Hence, the number of steps in this attack is $O(D^2\log A)$ ($A = \max\{a_i : i = m+1, m+2, m+3\}$). We may compare this with the Verheul and van Tilborg attack, where the number of steps was $O(D^2A^2)$.



Example 2. Let $n = 7978886869909$, $e = 4603830998027$, and assume that $d < 10000000$. The continued fraction expansion of $\frac{e}{n}$ is
$$[0; 1, 1, 2, 1, 2, 1, 18, 10, 1, 3, 3, 1, 6, 57, 2, 1, 2, 14, 7, 1, 2, 1, 4, 6, 2],$$
and the convergents are
$$\frac{0}{1},\ \frac{1}{1},\ \frac{1}{2},\ \frac{3}{5},\ \frac{4}{7},\ \frac{11}{19},\ \frac{15}{26},\ \frac{281}{487},\ \frac{2825}{4896},\ \ldots$$
We find that
$$\frac{281}{487} - \frac{e}{n} < \frac{2.122e}{n\sqrt{n}} < \frac{11}{19} - \frac{e}{n}.$$
Hence $m = 5$ and we are searching for the secret exponent among the numbers of the form $26r + 19s$ or $487s - 26t$ or $4896r' + 487s'$. By applying Wiener's test, we find that $s = 12195$, $t = 77$ gives the correct value for $d$, $d = 5936963$.

Let us compare these numbers $s$ and $t$ with the numbers $r$ and $s$ obtained by an application of the Verheul and van Tilborg attack to the same problem. We obtain the same number $s = 12195$, but the other number $r = 219433$ is much larger than $t = 77$, which is in good agreement with our theoretical estimates.
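As an added worked example (not code from the paper), the following Python script implements the pieces discussed in Sections 2, 3 and 5 on the numbers of Examples 1 and 2: the continued fraction and convergents of $e/n$, Wiener's test (recovering $(p+q)/2$ and $(q-p)/2$ from a guess $k/d$), the choice of the starting index $m$, the Verheul and van Tilborg coefficients $r, s$ of Section 3, and the search of Section 5 over the pairs $(s, t)$ and $(r, s)$ within the bounds of Theorem 1. Function names and the loop order (the small coefficient $t$, resp. $r$, outermost) are my choices, and the attacker's bound $D$ is derived from the assumption $d < 10^7$ of Example 2.

```python
from math import isqrt

def convergents(num, den):
    """Partial quotients a_i and convergents p_i/q_i of num/den, from
    p_i = a_i p_{i-1} + p_{i-2}, q_i = a_i q_{i-1} + q_{i-2}, (p_{-1}, q_{-1}) = (1, 0)."""
    a, pq, p0, q0, p1, q1 = [], [], 0, 1, 1, 0
    while den:
        ai, rem = divmod(num, den)
        num, den = den, rem
        p0, p1, q0, q1 = p1, ai * p1 + p0, q1, ai * q1 + q0
        a.append(ai); pq.append((p1, q1))
    return a, pq

def wiener_test(n, e, k, d):
    """Wiener's test for a guess k/d: phi = (ed-1)/k must be an integer, and
    (p+q)/2 = (n - phi + 1)/2 and (q-p)/2 = sqrt(((p+q)/2)^2 - n) positive integers."""
    if k <= 0 or d <= 0 or (e * d - 1) % k:
        return None
    sum2 = n - (e * d - 1) // k + 1                  # p + q
    if sum2 <= 0 or sum2 % 2:
        return None
    hs = sum2 // 2
    hd = isqrt(hs * hs - n) if hs * hs >= n else -1
    if hd < 0 or hd * hd != hs * hs - n or hs - hd <= 1:
        return None
    return (hs - hd, hs + hd)                        # (p, q)

def wiener_attack(n, e):
    """Section 2: test every convergent k/d of e/n; returns (d, p, q) or None."""
    for k, d in convergents(e, n)[1]:
        if (pq := wiener_test(n, e, k, d)):
            return (d,) + pq
    return None

def far(num, den, e, n):
    """True iff num/den > 2.122 e/(n sqrt n); in integers: (1000 num n)^2 n > (2122 e den)^2."""
    return num > 0 and (1000 * num * n) ** 2 * n > (2122 * e * den) ** 2

def vvt_coefficients(pq, m, k, d):
    """Section 3: r, s with k = r p_{m+1} + s p_m, d = r q_{m+1} + s q_m."""
    (pm, qm), (p1, q1) = pq[m], pq[m + 1]
    return d * pm - k * qm, k * q1 - d * p1

def variant_attack(n, e, D):
    """Section 5: m = largest odd index with p_m/q_m - e/n > 2.122e/(n sqrt n); then k/d is
    (s p_{m+2} - t p_{m+1})/(s q_{m+2} - t q_{m+1}) or (r p_{m+1} + s p_m)/(r q_{m+1} + s q_m) with
    st, rs < 4.244 D^2, t, r < a_{m+2} s (Theorem 1, c = 2.122 D^2), s <= s_1 of Section 3."""
    a, pq = convergents(e, n)
    m = max(i for i in range(1, len(pq) - 3, 2)
            if far(pq[i][0] * n - pq[i][1] * e, pq[i][1] * n, e, n))
    (pm, qm), (p1, q1), (p2, q2) = pq[m], pq[m + 1], pq[m + 2]
    prod = int(4.244 * D * D)                        # D: attacker's bound on d / n^(1/4)
    s1 = int((2.122 * (a[m + 3] + 2)) ** 0.5 * D) if far(q1 * e - p1 * n, q1 * n, e, n) \
        else int((2.122 * (a[m + 2] + 2)) ** 0.5 * (a[m + 1] + 1) * D)
    for t in range(1, int(2.061 * a[m + 2] ** 0.5 * D) + 1):     # t (resp. r): the small one
        for s in range(-(-t // a[m + 2]), min(s1, prod // t) + 1):
            for k, d in ((s * p2 - t * p1, s * q2 - t * q1), (t * p1 + s * pm, t * q1 + s * qm)):
                if (e * d - 1) % k == 0 and (res := wiener_test(n, e, k, d)):
                    return (d,) + res + (s, t)       # last entry is t (or r) of the form that hit
    return None
```

On Example 2 the search returns $(d, p, q, s, t) = (5936963, 2323259, 3434351, 12195, 77)$, and `vvt_coefficients` reproduces the much larger $r = 219433$ of the Verheul and van Tilborg representation.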



Example 3. Let us take $n = 7978886869909$ again. For $1000 < d < 1000000$, we compare the quantities $rs$, obtained by the Verheul and van Tilborg attack, with the quantity $D^2$. The maximal value for $rs/D^2$ is 78464.2 and it is attained for $d = 611131$. There are 591 $d$'s for which $rs/D^2$ is greater than 1000. The average value of $rs/D^2$ for $d$ in the given interval is 15.69.

Similar analysis for the attack introduced in this section gives that the average value of the quantity $\min(rs, st, r's')/D^2$ for $d$ in the interval $1000 < d < 1000000$ is 0.8397, with maximal value 4.026 attained for $d = 437561$.